February 16, 2010

B2B Cyber Security Lawsuit | Guerrilla Publicity Dogs Bank Online

Populist Politics

The web changes how public disputes are contested. Inexpensive web 2.0 publicity disrupts the balance of power.

Internet Bank Robbery - The Facts

After computer thieves stole [Krebs] $200,000 from the bank account of Hillary Machinery Inc., the company demanded reimbursement from its bank, PlainsCapital Bank. The bank refused. Thus began one of the most gripping cases in the history of computer security law . . . and a lesson in how to use the Internet as a populist podium . . .

Apparently the investigation of the heist has not determined conclusively how the hackers succeeded in tricking the bank into transmitting money out of the account. Each party believes the forensic investigation proves it is blameless.

The Law On Internet Bank Robberies

The legal relationship between Hillary and the bank is largely governed by Uniform Commercial Code Article 4A and the banking agreements signed between the parties. In a case like this, an essential issue is whether the bank employed commercially reasonable security procedures when it acted upon what purported to be electronic payment instructions from Hillary. The bank maintains that its security was reasonable, and therefore it need not reimburse the money.

As this dispute escalated, Hillary might have sued, possibly in Texas state court or possibly in federal court.

But the bank seized the legal initiative. It sued Hillary in federal court! The bank may have calculated that a federal court would review this complex, technical case more thoughtfully than a state court. So it preempted from Hillary the option to sue in state court.

From the federal court, the bank seeks an affirmation that its security was reasonable. In essence, the bank said Hillary had called into question the integrity of the bank's operations, and the bank is entitled to clear its name by way of litigation.

The bank is forcing Hillary to spend money on lawyers, quite possibly hoping Hillary will decide this quarrel is too expensive, too much trouble and will settle and shut up. From the perspective of traditional litigation strategy, the bank is probably in a stronger position because it can afford to spend much more on lawyers and technical experts to fight the case.

Internet as Populist Bullhorn

This is an unusual lawsuit. But it has taken an even more remarkable twist. Instead of cowering, Hillary has gone on the publicity warpath. On its primitive web page, Hillary complains noisily about the bank and its security.

It started working with other interested and knowledgeable parties, and is shouting from the virtual rooftops, “Can you believe this? Hackers stole $200,000 from my bank account, and then my bank sued ME!” That's one newsy sound bite.

Hillary has attracted quite a few news stories (including in the Dallas Morning News and the Denver Post), much of it favorable to Hillary. The most sensational is a TV report on Fox Business, which is posted on the web. Hillary of course points to many of these reports from its web site.

What's more, Hillary affiliates appear to be posting pointed comments on web discussion threads. When a popular Dallas news blog wrote an unrelated story about PlainsCapital, someone apparently associated with Hillary posted a comment saying (paraphrase) “Thieves stole money from our PlainsCapital account, and then PlainsCapital hauled us into court!” linking to the Fox Business video. [Another example: see the second comment, from Amanda, below this post.]

Someone who appears to be the spouse of a Hillary co-owner vocally discusses the case in an online forum, complaining about the bank and pointing to the media reports.

This controversy between Hillary and the bank now dominates the Wikipedia page about the bank. Can this be good for the bank?

In the public comments to a key blog article on the lawsuit, one observer sympathetic to Hillary finds that the bank has published a job posting for a wire transfer risk specialist. The observer suggests, yeah, they need someone with those skills! The actions of this "observer" (Is he or she affiliated with Hillary? A volunteer? Who knows.) give the impression that the public is rallying to Hillary's aid.*

The bank hasn't said much to defend itself in public. The bank's tight-lipped approach (“our lawsuit speaks for itself”) hasn't played well. There is no way all this chatter on the web has been good for the bank's reputation. The damage to the bank's image could far exceed $200,000.

Hillary is a reasonable-size mom and pop business ($35 million in 2008 annual sales). PlainsCapital ($4.4 billion in assets) is much larger. The bank's old-style approach – let our lawyers do our talking – seems to have enabled populist underdog Hillary to land some blows on its opponent.

Although many details about this case are known to the public, many are not. We don't know, for instance, everything about the security or insecurity of Hillary's computers, or whether the bank had offered Hillary additional security procedures that Hillary declined to use. (An example of such a procedure would be SMS text messages to the cell phones of Hillary officials as each and every event transpires within the bank account.) The bank may have a stronger story here than it has revealed so far.

Cyber Publicity is Faster Than a Lawsuit

But as things are going now, the bank may not have a good chance to tell its side of this cybertheft story. Internet-driven public opinion may solidify long before the bank can explain.

Talking on the web (Hillary's approach) is fast and cheap. Talking through lawyers in the courtroom (the bank's approach) is slow and expensive.

Publicity is different today than it was a few years ago. In the past, an unflattering report might appear on TV or in a newspaper, and then it was gone and few would remember. But media reports today live persistently on the web. Months-or-years-old reports can show up when prospective customers google “PlainsCapital Bank.”

This squabble is not over. But as of February 16, 2010, little Hillary seems to have exploited the web as an asymmetrical weapon against a larger adversary.

Update: Resolution May 2010

Hillary and PlainsCapital settled their lawsuit, and agreed to keep the terms confidential. The settlement came two days after the court rejected motions by PlainsCapital that the case go to arbitration; PlainsCapital apparently wanted arbitration because it felt a public trial was less likely to deliver it a net benefit. It is hard for me to conclude that this lawsuit was good for PlainsCapital. The bank started the lawsuit. The bank's apparent goal was to clear its name and reputation. The bank did not achieve its goal.

–Benjamin Wright

Mr. Wright teaches IT security law at the SANS Institute, where he stresses how critical public communications (policies, notices, banners, warnings, contracts, subpoenas, interviews, social media, press releases, declarations in court and much more) are to effective cyber defense, negotiations and investigations.

* Gadzooks. Notice how easily a grumpy member of the public was able to dig up a choice detail about PlainsCapital (its job posting for a risk specialist) and link to it from a well-trafficked location with an unfavorable comment. The world did not operate this way a few years ago. Organizations like PlainsCapital live in more of a fishbowl today than they once did. Organizations must re-calibrate how they make and maintain their public images.

[Note: Since I originally posted this article, Hillary Machinery and its affiliates have contacted me and asked that I correct a couple of factual errors. Based on what they said and what I read elsewhere on the web, I have revised my article here. If anyone believes that I have made a mistake here or any other place, I ask that person to telephone me promptly at 1.214.403.6642.]

Comments


While PlainsCapital made the preemptive legal strike, Hillary has preemptively struck in the PR war. And as you noted, they may have done so decisively. By the time any court decisions are reached there will be so much bad publicity showing up online the bank will need years to undo the damage. And even then it will only be possible if the bank did have other security measures available and they were turned down by Hillary.

PlainsCapital Bank received $84 million in TARP funds. They are using federal tax dollars to sue their own customer. Alan B. White is quoted as calling TARP funds "Investment Capital". Just one more reason why Hillary Machinery has people in DC at this very moment meeting with congressional staff.

Amanda: Thank you for posting your comment. I am blogging a lot about the PlainsCapital v Hillary lawsuit/dispute because it is a pivotal case in the history of computer security law. As between the parties engaged in the dispute, I am neutral and independent. My decision to allow your comment to be published on my blog does not necessarily indicate that I agree or disagree with what you said.

Although I am reporting and evaluating the impact of the statements by parties in this conflict, I am not encouraging or discouraging them. I am not evaluating whether statements are right or wrong, correct or incorrect.

If any person thinks I am doing anything wrong, I ask that person promptly to telephone me at 1.214.403.6642.
--Benjamin Wright

Another legal issue I haven't seen discussed: Usually if a suit like this is settled out of court, there is some agreement among parties that they will not discuss the case further, and the publicity stops. But the many posts about this case will live on the internet and archives forever.

Most of the posts I've seen aren't from people who had ever heard of Hillary before. But tech people who have dealt with security breaches can easily imagine themselves or their clients in the same position. Add that natural sympathy to the fun involved in doing some amateur sleuthing about the case, and Hillary doesn't even need to seed blogs with comments.

Not all comments about this controversy on the web are unfavorable to the bank. Stephen Northcutt of the SANS Institute generally observes that, in theory, a bank in a cyber theft incident must be wary that the customer colluded with thieves to stage the heist.

That there could be collusion with the bad guys. It goes both ways. It's possible in cases like this for someone at the bank to be in cahoots, too. Although hopefully that is a much less likely scenario.

We can't really know what happened, since PlainsCapital isn't talking. With the information Hillary is putting out it looks very bad for PlainsCapital. I still say that, unless PlainsCapital can bring out something totally unexpected they're going to lose - but the fact I have to put that caveat in says it's all still up in the air, however done it may look from out here.

Jim Woodhill of http://www.authentify.com sent me an e-mail because he tried to submit a comment, but the system would not take it. So I post Jim's words here:

"[I]f you think this is a PR disaster for PlainsCapital Bank *now*, just wait. It can get a *lot* worse.

"Are you going to be at the 2010 RSA Security Conference this coming week? If so, if you want to hear how, just meet me at Authentify's booth (#732), and I will be happy to share my speculations on how PlainsCapital's situation can get 'qualitatively' worse, not just 'quantitatively'.

"[Benjamin], this is not just an interesting PR skirmish, it's a matter of national concern. Local and regional banks like PlainsCapital are not just an important part of the American economy, they are an important part of American society. It is not in the public interest for every small- and medium-sized enterprise in our country to decide as one that they have to move their accounts to J.P. Morgan/Chase Bank or risk losing everything to cyber-thieves. But that is the message PlainsCapital Bank and every other bank that Brian Krebs writes about on this issue is sending."

"He is completely correct, but seems unaware of how Congress has decided similar questions when forced to speak on such issues by private-sector irresponsibility. As a 'Club For Growth' Republican, I hate the idea of more congressional micro-managing of America's financial services sector, but I cannot see how it can be avoided with so many cases in so many congressional districts."

I would offer that Mr. Northcutt is at least close to the line regarding his Editor's note with regard to this case. To restrict his comments to one loose hypothetical and accusatory angle footnoting our case is as ill-advised as it was for PCB to file a pre-emptive lawsuit publicly calling our 25-year record of fiscal and moral soundness into question before the world; you see what that has cost them so far.

Notwithstanding, and in respect to Bert for his comments, "commercially reasonable" security and some semblance of fraud detection would have stopped even a colluded criminal act had it contained such blatantly unusual circumstances. Anyone caring to peruse the details already made public can see that.

Quite simply, I think prudent and reasonable people would agree that a bank's security measures are NOT "reasonable" if they allow a customer's account to be accessed then looted by Eastern European cyber criminals of hundreds of thousands of dollars over the course of 2 days and in a manner so inconsistent with the account holder's normal transactional history. Rather than spend so much time and energy defending a DEFEATABLE SECURITY SYSTEM, trying to DISCREDIT and more recently trying to DEFAME a victim of it (namely Hillary Machinery Inc), PCB and their counsel should do just a little research on the plethora of well documented cases of cyber crime events involving Eastern European cyber criminals and focus on protecting the customers they still have.
